Hello,
I believe there is an injection attack that took place on our 4.2.3 forum.
At first just 1 or 2 users experienced a small adware that came up on the top left of the forum, on some page loads, but it was just the one person so I had them do malware scans etc. Probably just them.
Then I had my server scanned by the hosting company for malware, found none, just to be sure.
Then today multiple users are reporting the red Google popup saying the domain has malware.
I've run multiple tools to test my domain such as AVG, McAfee, Mxtoolbox and all say there is nothing wrong, no blacklists etc.
However, using Webmaster Tools, there seems to be one js script injected before the DOCTYPE which is most likely the problem. I can't see this <script> using normal view-source option in the browser, nor with F12 tools etc. The only way I've seen this script is viewing raw return data with CURL and with Webmaster Tools.
The script being injected looks like this:
HTML Code:
<script type='text/javascript' src='http://animal.bigtube.uno/servlet/adx/.............'>
I replaced a bunch of the URL with periods for brevity.
I need to find out how to remove the injection attack, and make sure the site is clean, and find out how it happened.
As far as plugins, I only run four: disable lockout notification emails, spam-o-matic, rotating banner system, and tapatalk. I don't even use the Blog or CMS. I've had these plugins installed for years and years, nothing is new.
I have tried searching the source files of VB but the pure text of the injection is not in there, so I don't know how they are masking the code. I'm trying to search the database and templates for where the injection is taking place, but not having luck.
I have run the suspect file tool; it only returns the files which are not part of VB but which I know are valid, like my own files, or plugin files etc.
I need the proper method to track this down and remove it, find out why it happened, and plug the hole!
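A check for the symptom described in the post, as an added example that is not part of the original post: it scans saved raw response bodies (for instance, output saved from cURL) for <script> tags that appear before the DOCTYPE, and compares captures taken with different clients. The host names, capture labels and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import urlparse

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*(['"])(.*?)\1""", re.IGNORECASE)


def scripts_before_doctype(raw_body, own_host):
    """Return (src, host, offsite) for each <script> tag preceding the DOCTYPE."""
    doctype = DOCTYPE_RE.search(raw_body)
    if doctype is None:
        return []  # no DOCTYPE to anchor on; inspect such a response by hand
    findings = []
    for tag in SCRIPT_RE.findall(raw_body[:doctype.start()]):
        src = SRC_RE.search(tag)
        if src is None:
            findings.append(("<inline>", None, False))
            continue
        host = urlparse(src.group(2)).hostname  # None for relative URLs
        offsite = (host is not None and host != own_host
                   and not host.endswith("." + own_host))
        findings.append((src.group(2), host, offsite))
    return findings


def compare_captures(captures, own_host):
    """Map each capture label to its findings, to see which clients get the tag."""
    return {label: scripts_before_doctype(body, own_host)
            for label, body in captures.items()}


# Constructed sample captures: one clean, one with a tag ahead of the DOCTYPE.
CAPTURES = {
    "browser": "<!DOCTYPE html>\n<html><head>"
               "<script src='clientscript/core.js'></script></head></html>",
    "curl": "<script type='text/javascript' "
            "src='http://ads.example.net/servlet/x.js'></script>\n"
            "<!DOCTYPE html>\n<html><head></head></html>",
}

if __name__ == "__main__":
    for label, found in compare_captures(CAPTURES, "forum.example.com").items():
        print(label, found or "clean")
```

Any tag reported here is worth tracing, since nothing should be emitted ahead of the DOCTYPE.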